8 Feb 2024

Hacker Targeted WordPress Backup Plugin Didn’t Actually Get Fix for Log File Disclosure

Two days ago, we discussed one vulnerability that was recently fixed in the WordPress backup plugin FastDup, while looking into why a hacker might be targeting the plugin. There was another vulnerability that was supposed to have been fixed. Patchstack claimed that there had been a sensitive data exposure via log file vulnerability in the plugin. As usual, they didn’t provide the information needed to check whether the vulnerability was real and, if it was, whether it had been fixed. It appears that either they got some basic details about the vulnerability wrong and it wasn’t fixed, or what they were claiming was a vulnerability wasn’t one, but there really was a similar vulnerability in the plugin. Confused? So are we. So let’s go through what we found.

The vulnerability was supposed to be fixed in version 2.1.8 of the plugin. The change made in that version was to replace the additional value appended to the names of files created by the plugin: previously it was the current time from the PHP function time(), and now it is a randomly generated value. That makes the file names harder to guess, but with either value they aren’t easy to guess unless you know when a backup was made. The files should be blocked from being accessed directly anyway, so the name shouldn’t even matter. [Read more]

7 Feb 2024

Nearly 10 Year Old Vulnerability Fixed in WordPress Security Plugin All-In-One Security (AIOS)

The changelog for the latest version of the 1+ million install WordPress security plugin All-In-One Security (AIOS) is:

SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records. [Read more]

5 Feb 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Shariff Wrapper

Last Tuesday, someone was claiming to have found a vulnerability in the WordPress plugin Shariff Wrapper. As at least one of our customers was using the plugin, we went to check whether there was an obvious serious vulnerability in the plugin. We didn’t see anything. We then started keeping an eye out for a new version of the plugin. On Friday, an update to the plugin was released that was supposed to address the issue. The relevant changelog entry reads, “security fix (thanks to Dmitrii Ignatyev from CleanTalk inc.)”. Looking at the changes made, we found that the developer had incompletely fixed an authenticated persistent cross-site scripting (XSS) vulnerability. It is rather minor, as exploiting the vulnerability would require the attacker to have access to modify a post or page. They could then add one of the plugin’s shortcodes with JavaScript code in it.

[Read more]

2 Feb 2024

Cross-Site Request Forgery (CSRF) Vulnerability in Easy Digital Downloads

The changelog for the latest version of Easy Digital Downloads has a couple of entries that suggest that security changes have been made to the plugin. In looking over the changes that were made, we found an undisclosed fix for a minor vulnerability. As the relevant code was being moved and reformatted, it seems possible that this wasn’t recognized as a vulnerability fix, so it wasn’t mentioned in the changelog. Or it was being hidden (that happens, unfortunately). The vulnerability involved cross-site request forgery (CSRF), and we found an additional instance of it in similar code that still exists in the plugin. We have notified the developer of that and offered to help them fix it.

[Read more]

30 Jan 2024

Hacker Targeting Incompletely Fixed Vulnerability in 100,000+ Install WordPress Plugin Cookie Information

Earlier today, we had an apparent hacker probing our website to see if we were using the WordPress plugin Cookie Information with this request:

/wp-content/plugins/wp-gdpr-compliance/Assets/js/front.min.js [Read more]